Post

Mobile Useful

Collection of commands for when working with Android and iOS devices. Device must be Rooted/Jailbroken for almost all commands.

  1. Both
  2. Android
  3. iOS

Both

Objection

Another post has been created that is entirely dedicated to using Objection with Android and iOS. That post can be found here.

Search Files for String

Print files that contain a certain strings when in device shell (adb shell). Good for searching for clear-text data stored by apps:

1
grep -ril '/PATH_TO_SEARCH' -e 'SEARCH_TERM`

Search for File Name

1
2
find SEARCH_DIR -name *.sqlite
find SEARCH_DIR -name *.sqlite 2>/dev/null
  • 2>/dev/null can be used to hide permission denied errors.

Extract App Files

Use the following command to archive an entire app folder so that it can be extracted and viewed on a computer more easily:

1
2
tar -cvzf OUTPUT_FILE FOLDER_TO_TAR
tar -cvzf /sdcard/files.tar /data/user/0/com.example.app/


Android

Android Debug Bridge (adb)

The target device will need to have USB (or wifi) debugging enabled

DescriptionCommand
View Connected Devicesadb devices
View Connected Devices (with Device Info)adb devices -l
Install Package (apk)adb install local_path_to_apk
Uninstall Packageadb shell pm uninstall com.example.TestApp
Get Packages (All Packages)adb shell pm list packages
Get Packages (Full APK Path)adb shell pm list packages -f
Get Packages (3rd Party Only)adb shell pm list packages -3
Get Packages (System Packages Only)adb shell pm list packages -s
Interactive Shelladb shell
Run Command without Interactive Shelladb shell ls -la /sdcard/
Copy file TO Deviceadb push local_path remote_path
Copy file FROM Deviceadb pull remote_path local_path
View Logsadb logcat
Screenshotadb shell screencap /sdcard/screenshot.png
Screen Recordadb shell screenrecord /sdcard/record.mp4
Screen Record (with time limit)adb shell screenrecord –time-limit time_in_seconds /sdcard/record.mp4
Enable/Disable Wifiadb shell svc wifi enable/disable
Simulate KeyPress (Home Button)adb shell input keyevent KEYCODE_HOME
Simulate KeyPress (0400)adb shell input keyevent 7 11 7 7
Start Activity (Call a Number)adb shell am start -a android.intent.action.DIAL -d tel:+61400000000
Start Activity (SMS Someone)adb shell am start -a android.intent.action.SENDTO -d smsto:+61400000000 –es sms_body ‘Test SMS’ –ez exit_on_sent false
  • local refers to a location/file on the connected PC.
  • remote refers to a location/file on the connected Device (phone).
  • More keyevent codes can be found online in the Android Docs.

Wifi Passwords

NOTE: that this is a restricted folder, so the device will need to be Rooted.

  1. Go to the directory /data/misc/wifi.
  2. Wifi configuration data should be in WifiConfigStore.xml or wpa_supplicant.conf.

Network Interfaces

DescriptionCommand
Show Network Interfacesip -f inet addr show
Show Single Network Interfaceip -f inet addr show interface_name


iOS

Binary Info

Display info about an installed binary on an iOS device. Requires iOS device to be jailbroken and the Radare2 tool to be installed. Radare can be installed through Cydia:

1
rabin2 -I /private/var/containers/Bundle/Application/INSERT_ID/APP_NAME/APP_BINARY
  • -I Show binary info

Example with DuckDuckGo app:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
rabin2 -I /private/var/containers/Bundle/Application/INSERT_ID/DuckDuckGo.app/DuckDuckGo

arch     arm
baddr    0x100000000
binsz    2753920
bintype  mach0
bits     64
canary   true
class    MACH064
crypto   true
endian   little
havecode true
intrp    /usr/lib/dyld
laddr    0x0
lang     swift
linenum  false
lsyms    false
machine  all
maxopsz  4
minopsz  4
nx       false
os       darwin
pcalign  4
pic      true
relocs   false
sanitiz  false
static   false
stripped true
subsys   darwin
va       true

Screenshot Location

If you take a screenshot, the image will be stored in the following location:

  • /private/var/mobile/Media/DCIM/100APPLE/

NSAllowsArbitraryLoads

Search the app’s Info.plist file for the NSAppTransportSecurity key. Ensure the value for NSAllowsArbitraryLoads key is set to false unless there is a good reason not to.

Example:

1
2
3
4
5
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

NSURL Caching

NSURLRequests get cached in a file called cache.db unless explicitly stated not to using the cachePolicy parameter when creating a NSURLRequest object.

This post is licensed under CC BY 4.0 by the author.